In Depth
The Truth About Federated Identity Management
When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect
By Sarah D. Scalet
Meanwhile, Microsoft (along with IBM) has created a separate but proprietary specification known as WS-Federation. WS-Federation allows customers to connect their Active Directory installation with other Active Directory installations, using a product known as, you guessed it, Microsoft Active Directory Federation Services. This system can consume SAML tokens as well as other forms of identity information (including the Kerberos tickets that Active Directory itself issues to authenticated users), but it handles the tokens in a different way.
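Whichever federation protocol carries the token (a SAML binding or a WS-Federation response, since AD FS consumes and issues SAML tokens too), the relying party has to apply the same claim-level checks once the signature has been verified. The following is an added example, not code from the article, from AD FS, Liberty, or any vendor named here. It assumes the XML-DSig signature over the assertion was already checked by a proper XML-security library (not shown), and it uses a constructed sample assertion with hypothetical IdP and SP URLs.

```python
"""Claim-level checks a relying party applies to a SAML 2.0 assertion.

Added example, not code from the article or any product it names. Signature
verification is assumed to have happened already; what remains is issuer,
validity window, audience, recipient and one-time use of a bearer token.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample (hypothetical idp.example.com / sp.example.org URLs).
# The Signature element is omitted: verifying it is assumed to precede this.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e3f1c2a" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """xsd:dateTime as IdPs emit it: trailing 'Z' or an explicit UTC offset."""
    text = value[:-1] if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, our_audience, our_acs_url,
                       now, seen_ids, skew=timedelta(seconds=60)):
    """Return (True, name_id) on success, (False, reason) on any failure.

    A missing element is rejected exactly like a wrong one, so a check
    cannot be bypassed by leaving the element out of the token.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion element"

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "no NotOnOrAfter: refusing an unbounded token"
    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if our_audience not in audiences:  # empty list rejects as well
        return False, f"audience mismatch: token is for {audiences}"

    scd = root.find("saml:Subject/saml:SubjectConfirmation/"
                    "saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData"
    if scd.get("Recipient") != our_acs_url:
        return False, "recipient mismatch: token was issued to another endpoint"
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now - skew >= parse_saml_time(scd_expiry):
        return False, "subject confirmation expired"

    name_id = root.findtext("saml:Subject/saml:NameID", default="",
                            namespaces=NS).strip()
    if not name_id:
        return False, "missing NameID"

    # Bearer assertions are one-time. Record the ID only after every other
    # check passed, so a rejected token cannot poison the replay cache.
    assertion_id = root.get("ID")
    if not assertion_id:
        return False, "missing assertion ID"
    if assertion_id in seen_ids:
        return False, "replay: assertion ID already consumed"
    seen_ids.add(assertion_id)
    return True, name_id
```

The order matters: signature first (outside this function), then issuer, time window, audience and recipient, and only then the replay cache. The `skew` parameter absorbs clock drift between IdP and SP; keep it to a minute or so, since every second of slack extends the window in which a captured bearer assertion can be reused. In a multi-node deployment `seen_ids` must be a shared store with entries that expire at the assertion's `NotOnOrAfter`, not a per-process set as in this illustration.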
Although Microsoft has handed OASIS some of its other specification sets for open use, so far it has not released WS-Federation, nor, according to a spokesman, does it have any immediate plans to do so. In the meantime, many organizations have been reluctant to build projects around WS-Federation because of licensing concerns and have turned instead to SAML/Liberty.
"All the big installations use SAML tokens and Liberty protocols," Wagner says. "Those guys weren't waiting around for Microsoft."
In fact, many say that federated identity management is SAML. "If you talk about the true line of federation, it's really SAML," says Dennis Brixius, VP and CSO of McGraw-Hill in New York City. "Is [WS-Federation] as good? Probably. Have a number of vendors adopted it? Not quite. It comes down to, if I want to do A and you're doing B, then we have a disconnect. Could we end up having two? Absolutely. But having two just adds to the cost of doing business."
That cost right now is for tools that speak both languages. Vendors of federation tools—among them, RSA, IBM with its Tivoli product line, Ping Identity, and HP with its acquisition of Trustgenix—are building links to both WS-Federation and SAML/Liberty protocols into their wares. Customers then have to integrate those products with either their identity management infrastructure or whatever application they want to allow users to access.
From a security standpoint, which route any one company should take depends not only on its operating environment but also on where it stands in the ongoing debate between open standards and proprietary specifications. The more organizations adopt either specification, the more attractive it becomes as a target for attackers looking for vulnerabilities in it.
"It's all about paranoia, I guess," says Martin Gee, founder and CTO of ICSynergy, a consultancy that to date has worked on about nine implementations of federated identity management. "Proponents of open sourcing say that by making everything public, everybody can beat on it [to improve the security]. Others maintain that if it's open, everybody knows how to break in."